Exclude some clients in LAN captive portal

  • Hi, I am new to pfSense and got into it because of its control on the firewall. Anyway, I have 4 interfaces: WAN, LAN, Opt1, and Opt2. I set up a captive portal using FreeRADIUS on LAN. Everything works fine. Now there are some clients with static IPs that I want to exclude from the captive portal, but when I enable the CP they can't connect to the internet; they first need to log in to the CP before accessing the internet, and I want to exclude them and route them using the Opt1 or Opt2 interface. My question is: is this possible, and can you please give me some ideas how to do it? I did look into some topics about this but just can't seem to find something similar.


  • Edit your CP, go to the "Allowed IP Addresses" tab and add the IPs you want to exclude from auth.

    What do you mean with "And route them using the Opt1 or Opt2 interface.."?

  • Thank you for replying. What I mean is that the captive portal is using the WAN gateway to access the internet. I want those excluded IP addresses to use Opt1 or Opt2 to connect to the internet.

  • @alexcheddar said in Exclude some clients in LAN captive portal:

    .... I want those excluded IP addresses to use Opt1 or Opt2 to connect to the internet.

    These are the same devices that have static IP settings, right?
    What about setting the gateway setting on these devices?

    Your OPT1 and/or OPT2 interfaces are WAN connections?

    What are these devices with static IP settings? The APs on your captive portal network?

  • So if there are gateways on the OPT1 and OPT2 networks, add them in System > Routing > Gateways and use 'policy routing' to route traffic to these gateways.

    Add all your excluded devices to an alias, then add a filter rule to the LAN interface which allows the wanted upstream traffic. Use the alias as source here, open the advanced options, go down to Gateway and select the gateway you want the traffic to route to.
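
    The alias, gateway and policy-routing rule described in the post above, written out as a pfSense config.xml-style fragment. This is an added illustration, not code from the thread or from the pfSense project: the alias name `ExcludedClients`, the gateway name `OPT1GW`, the addresses, and the exact element layout are assumptions (the supported way to create these objects is the GUI; the fragment only shows which pieces have to exist and in what order).

```xml
<!-- Added example in pfSense config.xml style (assumed layout, not from the thread).
     Names, addresses and element order are illustrative assumptions. -->

<!-- 1. Alias holding the static-IP clients that bypass the portal (assumed addresses). -->
<aliases>
  <alias>
    <name>ExcludedClients</name>
    <type>host</type>
    <address>192.168.1.50 192.168.1.51</address>
    <descr><![CDATA[Static clients excluded from the captive portal]]></descr>
    <detail><![CDATA[printer||NAS]]></detail>
  </alias>
</aliases>

<!-- 2. Gateway object for the upstream router on the OPT1 network (assumed address),
        as created under System > Routing > Gateways. -->
<gateways>
  <gateway_item>
    <interface>opt1</interface>
    <gateway>203.0.113.1</gateway>
    <name>OPT1GW</name>
    <weight>1</weight>
    <ipprotocol>inet</ipprotocol>
    <descr><![CDATA[OPT1 upstream]]></descr>
  </gateway_item>
</gateways>

<!-- 3. LAN rules. pf uses the first matching rule on an interface, so the
        policy-routing rule MUST sit above the general "LAN to any" rule. -->
<filter>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <statetype>keep state</statetype>
    <source><address>ExcludedClients</address></source>
    <destination><any></any></destination>
    <gateway>OPT1GW</gateway>   <!-- the "Gateway" field under Advanced Options -->
    <descr><![CDATA[Excluded clients out via OPT1]]></descr>
  </rule>
  <!-- Remaining LAN hosts keep the default gateway: no <gateway> element here. -->
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <statetype>keep state</statetype>
    <source><network>lan</network></source>
    <destination><any></any></destination>
    <descr><![CDATA[Default allow LAN to any rule]]></descr>
  </rule>
</filter>
```

    Two checks worth doing after building this in the GUI: confirm in Firewall > Rules > LAN that the policy-routed rule is listed before the default allow rule, and confirm the same hosts are also entered under the captive portal's "Allowed IP Addresses" tab, since the portal's own bypass is separate from the pf rule that picks the gateway.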

  • @gertjan Thanks. I came up with a solution: I disabled the default allow LAN to any rule, so that anyone connected to LAN can't have internet access unless I specify a rule that allows that IP address in LAN. In creating a rule for that IP, it also allows me to choose what gateway it will get its internet connection from.

    My problem now is that the allowed IP address connects to the internet well, but when I log in to the splash page using a FreeRADIUS account (using a different device), there is no internet connection for captive portal users.

  • ... that's why a captive portal should be run on its own dedicated OPTx interface.
    This interface should contain at least some more or less restrictive rule to access the Internet (and maybe DNS access, if pfSense isn't the default Resolver?!) after authentication.

    When the captive portal authenticates a user, some ipfw rules (see the doc; these are not the GUI firewall rules) are added. In your case the user will then hit the GUI firewall rules of the interface on which the captive portal is running. Not a good setup.
    Read this: https://www.netgate.com/docs/pfsense/captiveportal/index.html - do not forget the last part, where ipfw is explained.

  • @viragomann Thanks, gonna look into it.

  • @gertjan Thanks. Documentation would really help me.

  • @gertjan Thanks, I read the documentation and things work as expected now. But is there any link or URL that I can type to log out manually from the CP?

  • @alexcheddar said in Exclude some clients in LAN captive portal:

    But is there any link or URL that I can type to log out manually from the CP?

    As you can see on the settings page, there is a logout page. It is also mentioned that this page is a popup:

    The link to this page, as shown in the navigator bar, is the logout URL.

    Now the fun part.
    You will probably find out that you didn't see any popup when logging in. You'd say: it doesn't work.
    Now it's time to recall that you, and everybody else on the planet, have blocked popups in your navigator. You could enable your popups again, but your portal visitors won't.

    You could show the link on the portal login page, and mention on that page that people should copy it to a safe place (making a favorite link of it?), but most visitors probably won't.

    Next best solution: make the Idle timeout (and hard timeout) counter as low as possible. Although, when visitors think that they disconnected because they closed all navigator windows, all other processes (like fat mail clients, OS updates, all kinds of device driver GUI update programs, scanners and trojans, etc.) will still use the connection, so it will never idle out. A Wifi connection could be closed "by hand" (the button, or via the GUI), but again, most visitors just don't do that...

    There is a huge thread in this forum that treats the subject rather well, and explains why a real "logout button" is very hard, "close to impossible", to implement.